1) This is my search:
http://i.imgur.com/VJ9yxuk.png
As you can see, the time range is OK. When I press Job Inspector I get fields, for example:
searchEarliestTime 1391941200.000000000
searchLatestTime 1391942940.000000000
So it should work fine, but I don't know why "before" is written there.
2) This is my dashboard:
<?xml version='1.0' encoding='utf-8'?>
<dashboard refresh="60">
  <label>Cloud Monitor</label>
  <row>
    <single>
      <searchName>CDP All errors and warnings 2</searchName>
      <option name="beforeLabel">CDP Total:</option>
      <option name="classField">range</option>
      <option name="count">10</option>
      <option name="displayRowNumbers">true</option>
      <option name="linkSearch"> | savedsearch "CDP ALL"</option>
      <option name="linkView">flashtimeline</option>
    </single>
    <table>
      <searchName>Cloud Monitor: All Disaster and High</searchName>
      <option name="beforeLabel">Cloud Total:</option>
      <option name="classField">range</option>
      <option name="count">10</option>
      <option name="displayRowNumbers">true</option>
      <option name="linkSearch">| savedsearch "Cloud: All Disaster and High"</option>
      <option name="linkView">flashtimeline</option>
    </table>
    <single>
      <searchName>Cloud Monitor Amazon: All Disaster and High</searchName>
      <option name="beforeLabel">Cloud Amazon:</option>
      <option name="classField">range</option>
      <option name="count">10</option>
      <option name="displayRowNumbers">true</option>
      <option name="linkSearch">| savedsearch "Cloud Amazon: All Disaster and High"</option>
      <option name="linkView">flashtimeline</option>
    </single>
  </row>
</dashboard>
I have a problem only with the second search. I changed it from Single Value to Table for debugging.
3) cloud_status could have state PROBLEM, ERROR or OK.
I get logs like:
cloud_hostname="host1.name.net" cloud__info="High IO disk usage" cloud_status="ERROR"
When the problem disappears I get this information:
cloud_hostname="host1.name.net" cloud__info="High IO disk usage" cloud_status="OK"
So when I search the last 30 minutes and then dedup events, I can check if there is an ERROR or everything is OK. When the last event is ERROR I get a "stats count" higher than 0; when the last cloud_status is OK the result should be 0.
I hope that I described it clearly.
What is also interesting: when I copy that problematic search and just paste it into the XML, everything works well.
<searchString>index=cloud (cloud_severity="High" OR cloud_severity="Disaster") | dedup cloud_info,cloud_hostname | search ((cloud_status="PROBLEM" AND NOT cloud_hostname="*.c1a.net") OR (cloud_status="Error" AND cloud_hostname="admin@tattle")) | stats count as lista | rangemap field=lista low=0-0 default=severe</searchString>
<earliestTime>-30m@m</earliestTime>
<latestTime>-1m@m</latestTime>
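The dedup-then-count logic described in point 3, modelled in Python to show how the result depends on the search window. This is an added example, not part of the original post and not Splunk's implementation; the sample events and function names are constructed, and the hostname filters from the search are left out.

```python
import re

# Constructed sample events: (epoch seconds, raw line). Field names follow the
# search string on the page; hosts and timestamps are made up for illustration.
EVENTS = [
    (1391941300, 'cloud_hostname="host1.name.net" cloud_info="High IO disk usage" cloud_status="ERROR"'),
    (1391941900, 'cloud_hostname="host1.name.net" cloud_info="High IO disk usage" cloud_status="OK"'),
    (1391942000, 'cloud_hostname="host2.name.net" cloud_info="Low free memory" cloud_status="PROBLEM"'),
    (1391942990, 'cloud_hostname="host1.name.net" cloud_info="High IO disk usage" cloud_status="ERROR"'),
]

KV = re.compile(r'(\w+)="([^"]*)"')


def parse(raw):
    """Extract key="value" pairs from one raw event line."""
    return dict(KV.findall(raw))


def open_alerts(events, earliest, latest):
    """Return {(info, host): status} for keys whose newest event in the window is not OK.

    Assumption: the window is earliest-inclusive, latest-exclusive.
    """
    newest = {}
    # Walk newest-first so the first event seen per key is the one a dedup keeps.
    for ts, raw in sorted(events, key=lambda e: e[0], reverse=True):
        if not (earliest <= ts < latest):
            continue  # outside the search window
        fields = parse(raw)
        key = (fields.get("cloud_info"), fields.get("cloud_hostname"))
        if None in key:
            continue  # assumption: events missing a dedup field are skipped
        newest.setdefault(key, fields.get("cloud_status", "").upper())
    return {k: s for k, s in newest.items() if s in ("ERROR", "PROBLEM")}


def rangemap(count):
    """Model of 'rangemap field=lista low=0-0 default=severe'."""
    return "low" if count == 0 else "severe"


if __name__ == "__main__":
    # Window taken from the Job Inspector values quoted in the post.
    narrow = open_alerts(EVENTS, 1391941200, 1391942940)
    # Hypothetical wider window that also covers the last constructed event.
    wide = open_alerts(EVENTS, 1391941200, 1391943000)
    print(len(narrow), rangemap(len(narrow)))
    print(len(wide), rangemap(len(wide)))
```

The same events give a different count once the window's latest bound moves, so comparing the effective earliest and latest times of the saved search with those of the inline search is a useful first check.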